Access to the Axiom dashboard requires an active account provisioned by your Axiom administrator. You will receive login credentials and will be prompted to enroll in multi-factor authentication (MFA) on first login. Dashboard access is at sovereign.tenova.io/login. Contact your ISSM or system administrator if you do not have credentials.
Axiom Sovereign Engine is an agentless, continuous compliance platform that evaluates your system's security posture against federal frameworks in real time. Unlike legacy GRC tools that rely on manual spreadsheet entry and periodic spot-checks, Axiom pulls evidence directly from live infrastructure and maps it to control objectives automatically.
| Capability | Legacy GRC | Axiom |
|---|---|---|
| Evidence collection | Manual uploads, quarterly | Automated, continuous |
| Control mapping | Single framework | 13 frameworks, 216 controls |
| Assessment readiness | Months of prep | Always-current mock assessment |
| OSCAL output | Manual authoring | Machine-generated, NIST-validated |
| Integrity | Trust-based | SWT3 cryptographic anchors |
Axiom maps 216 controls across 13 frameworks, including NIST 800-53 Rev 5, CMMC v2.0, NIST 800-171 Rev 2, NIST 800-53A Rev 5, FedRAMP Moderate, DoD RMF, and NIST AI RMF.
The Sovereign Watermark and Tamper-proof Trust Tether (SWT3) is Axiom's integrity protocol. Every score calculation, evidence snapshot, and OSCAL export is cryptographically anchored with a SHA-256 hash chain. This means scores cannot be retroactively altered, and any exported document can be independently verified as untampered.
The Sovereign Score is a single 0-100 metric representing your system's compliance posture. It is the primary indicator you will use to gauge authorization readiness.
The score is a weighted aggregate of three evidence categories:
| Category | Weight | Meaning |
|---|---|---|
| Technical | ~50% | Machine-verified evidence: scans, configurations, logs pulled from live systems |
| Attestation | ~30% | Human-affirmed: policies, procedures, organizational processes signed off by responsible parties |
| Inherited | ~20% | Controls satisfied by the hosting provider or shared-services layer (e.g., physical security in a FedRAMP-authorized cloud) |
The dashboard distinguishes between verified (machine-confirmed) and attested (human-confirmed) evidence. As AO, pay attention to the ratio: a score heavily weighted toward attestation may indicate gaps in technical automation. Axiom surfaces this breakdown so you can ask informed questions during authorization reviews.
The Executive Summary is your primary decision-support view. Access it from the dashboard landing page or via /executive-summary.
| Section | What It Tells You |
|---|---|
| Score Gauge | Current Sovereign Score with trend arrow. Green (>= 80), amber (60-79), red (< 60). |
| KPI Tiles | Controls satisfied, POA&Ms open, days since last scan, STIG findings count. |
| Family Breakdown | Per-family compliance percentage across all 17 NIST 800-53 families. Identifies weak areas at a glance. |
| Integrity Bar | SWT3 chain status: green if unbroken, red if any anchor fails verification. |
Axiom flags controls designated as GSA "showstoppers": findings that will halt an authorization regardless of overall score. The executive summary surfaces these prominently. Zero showstoppers is a prerequisite for any favorable authorization decision.
STIG findings are categorized as CAT I (critical), CAT II (significant), or CAT III (low). The summary displays the distribution so you can assess residual risk. Open CAT I findings should receive immediate attention before authorization.
For organizations managing multiple systems, the Portfolio View at /portfolio provides aggregate scoring across all enclaves.
Axiom generates a complete OSCAL (Open Security Controls Assessment Language) authorization package in machine-readable JSON format.
| Document | Purpose | Key Review Points |
|---|---|---|
| SSP | System Security Plan | Control narratives, responsible roles, implementation status per objective |
| POA&M | Plan of Action and Milestones | Open findings, risk ratings, scheduled remediation dates, responsible parties |
| AR | Assessment Results | Objective-level pass/fail, evidence references, observation notes |
All OSCAL exports are validated against the official NIST OSCAL schema. The export page displays validation status: a green badge means the document passes schema validation and can be ingested by any OSCAL-compliant tool (e.g., GSA's repository).
Each exported document includes an SWT3 anchor hash in its metadata. This hash ties the document to the score state at the moment of export. If the system posture changes after export, the dashboard will flag the document as stale, prompting a fresh export.
The Mock Assessment evaluates your system against 2,304 assessment objectives derived from NIST 800-53A. This mirrors what a 3PAO or assessment team will evaluate.
| Level | Meaning | AO Implication |
|---|---|---|
| FULL | All assessment objectives for the control have verified or attested evidence | Ready for assessment |
| PARTIAL | Some objectives met, others lack evidence | Remediation needed before assessment |
| NONE | No evidence mapped to any objective for this control | Significant gap requiring action plan |
Axiom reports these levels honestly. A PARTIAL rating means real gaps exist; it is not rounded up. The gap list enumerates every unmet objective with the specific evidence type required.
Each of the 17 control families receives a readiness percentage. Families below 70% should be reviewed with the ISSM to understand remediation timelines before scheduling a formal assessment.
The mock assessment identifies controls that require personnel interviews during formal assessment. Axiom lists the roles that will be questioned and the topics they should be prepared to discuss, giving your team advance preparation time.
The trend chart shows Sovereign Score history over 30, 60, and 90-day windows. Look for a sustained upward trajectory before authorization. A declining or volatile score suggests unresolved operational issues.
Active POA&M items are tracked with milestone dates. Overdue milestones are flagged red. Before authorizing, confirm that all open POA&Ms have realistic milestones and assigned owners.
Axiom cross-references your system inventory against the CISA Known Exploited Vulnerabilities (KEV) catalog. Any KEV match is a high-priority risk indicator. Systems with unmitigated KEV findings carry elevated risk that should factor into your authorization decision.
Axiom continuously monitors for configuration drift from the approved baseline. Drift events appear in the timeline and trigger score recalculation. Persistent drift patterns may indicate process failures that require corrective action before authorization.
Every score snapshot and export is anchored with a SHA-256 hash. The anchor chain is append-only: past entries cannot be modified without breaking the chain. A green integrity bar on the dashboard confirms the chain is intact.
Each enclave maintains its own independent hash chain. When reviewing a multi-enclave portfolio, verify that every enclave shows a green integrity status. A broken chain in any enclave should halt authorization until the cause is investigated.
The Assessor Workbench provides an independent verification interface where assessors (or your staff) can validate any SWT3 anchor by entering its hash. This supports the zero-trust principle: you do not need to trust the dashboard display alone.
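As an added illustration of the append-only chain and anchor lookup described above (this is not Axiom's SWT3 implementation; the entry layout, field names, genesis value, and status strings are assumptions), the following Python builds a SHA-256 chain of score snapshots, classifies an export anchor as current or stale, and locates the first entry that fails verification after a retroactive edit.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed starting value for an empty chain

def anchor_hash(prev_hash: str, payload: dict) -> str:
    """SHA-256 over the previous anchor plus a canonical JSON payload."""
    body = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()

def append(chain: list, payload: dict) -> str:
    """Append a snapshot; each entry commits to everything before it."""
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"prev": prev, "payload": payload, "hash": anchor_hash(prev, payload)})
    return chain[-1]["hash"]

def first_broken(chain: list):
    """Return the index of the first entry that fails verification, or None."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev"] != prev or entry["hash"] != anchor_hash(prev, entry["payload"]):
            return i
        prev = entry["hash"]
    return None

def check_anchor(chain: list, anchor: str) -> str:
    """Classify a document's anchor against an independently verified chain."""
    if first_broken(chain) is not None:
        return "chain-broken"
    hashes = [e["hash"] for e in chain]
    if anchor not in hashes:
        return "unknown"
    return "current" if anchor == hashes[-1] else "stale"

def demo():
    chain = []  # constructed sample data for one enclave
    append(chain, {"enclave": "enclave-a", "score": 78, "ts": "2024-01-01T00:00:00Z"})
    export_anchor = append(chain, {"enclave": "enclave-a", "score": 82, "ts": "2024-01-02T00:00:00Z"})
    before = check_anchor(chain, export_anchor)   # export matches chain head
    append(chain, {"enclave": "enclave-a", "score": 74, "ts": "2024-01-03T00:00:00Z"})
    after = check_anchor(chain, export_anchor)    # posture changed after export
    chain[0]["payload"]["score"] = 95             # retroactive edit of a past score
    return before, after, first_broken(chain), check_anchor(chain, export_anchor)

if __name__ == "__main__":
    print(demo())
```

Recomputing an edited entry's own hash does not hide the change: the next entry's `prev` no longer matches, so the break simply moves one position forward.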
Use this checklist to determine whether the system is ready for an authorization decision. All items should be confirmed before signing.